The financial security of higher education is experiencing a bigger threat than student retention. If you are wondering what this might be, data breaches are the answer.
As institutions of higher learning including universities and colleges start adopting mobile technologies, they are finding themselves being targeted by hackers and other malicious actors. Nonetheless, learning more about the latest security breaches affecting the higher education space can teach institutions valuable lessons regarding information security.
How Multifactor Authentication Safeguards Admissions Data
Early in March 2019, malicious actors gained access to the admissions information belonging to three learning institutions, including Oberlin, Hamilton, and Grinnell. After that, they sent all the applicants emails containing individually identifiable details (such as birth dates).
All traces of the breach pointed to Slate, which is a software used by most higher education institutions in managing applicant data. The SaaS platform, utilized by more than 800 institutions of higher learning globally conveys texts, new applications, and emails. According to Slate, the unauthorized access was as a result of unpermitted users gaining access to password-reset systems of the colleges.
The absence of multifactor authentication enabled the cybercriminals to breach the platform. Aside from the hassle associated with notifying the affected students about the data breach, such attacks could jeopardize student enrollment in colleges. For instance, students concerned about data control and protection might consider attending higher education institutions with stronger cybersecurity measures.
The Significance of Protecting your Email
In late February 2019, Florida Keys Community College reported a data breach stemming from unpermitted access to employee email that took place between May 5 and November 5 last year (2018). The college uncovered suspicious activity on October 19, 2018. In early January 2019, the Florida Keys Community College verified the identities of the individuals affected by the data breach. The individually identifiable data included information such as passwords, usernames, medical information, passport information, social security numbers, dates of birth, addresses, and names.
The 2018 Ponemon Cost of a Data Breach Report revealed that the mean time to identify a system breach was 197 days, whereas the mean time to contain it was 69 days. Considering such timing, Florida Keys Community College did a better job than other institutions. It took the college 167 days to spot the unusual activity and contained it in seven days.
In terms of grading, the college earns an A- and C+ for incident response and identification respectively.
Based on the number of accessed email accounts, the malicious actors could have leveraged weaknesses in the SMTP authentication controls, the number of links to servers, IP and domain configurations, or other network security problems.
The Importance of Vendor Risk Management in Protecting Student Records
Stanford Daily said that a student uncovered a weakness in NolijWeb, a third-party system for managing content that enabled the institution’s applicants to view all their Common Application forms. Back in 2015, the system started allowing students to access their records. Nonetheless, NolijWeb utilized student IDs as part of the URL of the files. As such, anybody could access the records by altering several characters.
Upon realizing that, Stanford promptly blocked the application’s access and suspended all online access to the enrollment records that are under protection by the Family Educational Rights and Privacy Act (FERPA).
With a user requiring a verified student login to operate the site, the constant audits allowed the vendor to have a clean record. Nevertheless, what this means is that both NolijWeb and Stanford did not have an idea of how long the weakness was present in the system.
All these breaches mainly focus on weaknesses associated with third-party vendors and permission problems.
That being said, here are four steps towards protecting data in the higher education sector:
1. Spot the Risk
Institutions of higher learning ought to concentrate more on finding all the locations that collect, transmit, and store data. Irrespective of whether they are using an upgraded legacy provider or new integration, universities and colleges have to devote more attention to identifying the risk.
2. Secure Networks
Higher education revolves around multiple networks, forming a complicated architecture. Guest wireless links, email servers, and library domains make up just several of these potentially dangerous networks. Higher education institutions must be more diligent in creating controls, especially over such networks to safeguard data.
3. Focus on User Authentication and Access
After graduating, students’ access to networks, software, and systems ought to be revoked. Graduates pose authentication and access risks to institutions. Furthermore, universities and colleges should be diligent when it comes to implementing multi-factor authentication.
4. Monitor Vendor Risk
Similar to how higher education institutions expect their next first years to provide proof of their academic proficiency, they should also make sure that vendors demonstrate their security proficiency. Upon identifying risk, universities and colleges have to ensure that they analyze and assess the threat posed to their information by third parties. All SaaS providers that gather, transmit, or store staff, student, and faculty information must ensure that their security controls are aligned with the risk tolerance of the institution.